SANS Digital Forensics and Incident Response Blog

Knowing how to analyze malware has become a critical skill for security incident responders and digital forensic investigators. Understanding the inner workings of malicious code and the way malware behaves on the infected system helps in deriving the indicators of compromise needed to locate malicious artifacts throughout the organization. The process also allows security professionals to assess the scope, severity and repercussions of the incident, and may help the organization bring the parties responsible for the incident to justice.

Since I teach the Reverse-Engineering Malware course at SANS Institute and have been active in this field for some time, I am often asked how one could get started with malware analysis. Below are my recommendations.

Entering the Field of Malware Analysis

Malware analysts are in high demand in both government and private sectors. If you're not sure what the job entails, take a look at the typical malware analyst job description I put together, along with my tips on how to be successful in this field. The bad news is that most organizations only want to hire experienced malware analysts. If you're looking to get into the field, I recommend finding a job that is focused on other aspects of security, while at the same time exposing you to opportunities for reverse-engineering malware. Once you get some malware analysis experience that way, pursue a job that focuses on this aspect of information security.

On-line Malware Analysis Articles

You can learn a lot about malware analysis on-line. I wrote a number of articles on the topic, so allow me to walk you through them:

Books on Malware Analysis

There are also a few books you may want to explore to dig deeper into the topic of malware analysis, including:

Practical Malware Analysis offers an excellent step-by-step walk-through of the steps and tools useful for examining malware. This book is good to read before as well as after taking the SANS FOR610 course on this topic.

Malware Analyst's Cookbook provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.

If you have recommendations on how to get started with malware analysis, please leave a comment.

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

12 Comments

Jason

Great post for someone like me who is just discovering malware analysis, thanks! From what I can tell so far, it also seems like having a good understanding of assembly and how Windows works is important. Unfortunately, that's all new to me so that's where I'm having the most trouble. Can you (or anyone else) recommend any sites or books in those areas to add to the list?

Lenny Zeltser

Jason, great question. I am still looking for the perfect assembly and Windows primer that's good for people looking to get started with malware analysis. In the meantime, I posted a few recommendations here: http://blog.zeltser.com/post/1581504925/get-started-with-malware-analysis

James

Interesting article, thanks. One thing that always puzzles me is that there is so much info available on delving into the malware binary, but few good articles on how you identify the malware on a computer with 100,000 files in the first place! Without an accurate infection date/time and with dozens of auto-start locations on Windows, poor hash libraries etc., just finding the stuff in the first place is your first challenge! Do you just trust AV scanners to find it all? Perhaps you could address this in a future post.

Greg

Thanks for the information. For my current Malware Reverse Engineering course, my final exam is to reverse one out of four pieces of malware given to me by the professor. Let's just say I am in a better position after visiting the multiple links provided by Lenny, and I'm almost done with my report. The code analysis section is the only part of the project that I am struggling with. The Analyst's Cookbook and DVD has been a great addition to my learning also.

Michael

Great post Lenny. There are many books that don't deal specifically with malware analysis, but that can help you a great deal with understanding how malware works. I made a list of them here: http://www.malwarecookbook.com/?p=49

Mike

I'd like to throw in my two cents regarding JOBS in malware analysis. For those wishing to get into the field of malware analysis, you should start in a field that can lead you into the position. For example, I worked in a SOC for 7 years as a network analyst. I started off taking Snort-based IDPS alerts. Considering that many of the alerts were related to botnet traffic, worm propagation etc., my curiosity about and studying of malware analysis naturally came with it. I wrote Snort signatures for our IDPS product and, in an attempt to stay ahead of the game, would set up honeypots, research blacklisted domains and set up virtual labs, all in an attempt to learn more and more about malware. My efforts paid off in that in my last 2 years with the SOC I was promoted to Exploit Research Analyst, where the company paid for my taking of Lenny's course (GREM). Which was fantastic! I presently work as a Senior Malware Analyst for IBM Global.

Darryl Lane

Lenny, this is the first book I read that I felt gave a good understanding of assembly: "Hacking: The Art of Exploitation Book/CD Package 2nd Edition". I agree with Viet; I've only just started reading "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" and I'm finding it a great read.
